[SCM] Samba Shared Repository - branch v4-10-test updated

Karolin Seeger kseeger at samba.org
Tue Feb 11 12:27:05 UTC 2020


The branch, v4-10-test has been updated
       via  f3eebacb127 winbindd: handling missing idmap in getgrgid()
       via  8d069f20ec1 s3:auth_sam: map an empty domain or '.' to the local SAM name
       via  f1b3a95852a s3:selftest: test authentication with an empty userdomain and upn names
       via  f4706d85b95 s3:auth_sam: introduce effective_domain helper variables
       via  731ae2864d8 s3:auth_sam: make sure we never handle empty usernames
       via  33b37926b25 s3:auth_sam: unify the debug messages of all auth_sam*_auth() functions
       via  d5fa47e02ff s3:auth_sam: replace confusing FALL_THROUGH; with break;
      from  105e48e2712 script/release.sh: Don't use quotations any longer.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-test


- Log -----------------------------------------------------------------
commit f3eebacb127d11598cdeb22e27edd6dcc133b741
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 22 17:00:07 2020 +0000

    winbindd: handling missing idmap in getgrgid()
    
    A similar hunk was added via commit
    89f753c1fc824fef29aebb7d783ab7e09cd1f04e ("winbind: Use xids2sids in getpwuid"),
    but it was missing in commit
    e2dda192e7f8b65a5f02120be56cf0f07d03679f ("winbind: Use xids2sids in getgrgid")
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14265
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Wed Feb  5 17:56:58 UTC 2020 on sn-devel-184
    
    (cherry picked from commit 4d0bda9467ac3f45f85f48a281cdb173ce1064eb)
    
    Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-10-test): Tue Feb 11 12:26:52 UTC 2020 on sn-devel-144

commit 8d069f20ec164bb5e6ff19ea33c6e65246ef1bb9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jan 23 16:21:43 2020 +0100

    s3:auth_sam: map an empty domain or '.' to the local SAM name
    
    When a domain member gets an empty domain name or '.', it should
    not forward the authentication to domain controllers of
    the primary domain.
    
    But we need to keep passing UPN account names with
    an empty domain to the DCs as a domain member.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 590df382bea44eec2dbfd2a28c659b0a29188bca)

commit f1b3a95852a1338d85712ba0e83a2664a6445f91
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 4 11:32:05 2020 +0100

    s3:selftest: test authentication with an empty userdomain and upn names
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit a9eeea6ef78cc44c8423c7125fa1376921060018)

commit f4706d85b9515eea110f636b73e3cd17ac38a914
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jan 23 16:21:43 2020 +0100

    s3:auth_sam: introduce effective_domain helper variables
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit a63e2a312c761093fedb09bd234b6736485a930a)

commit 731ae2864d84e27fc1466852eb88976b1e11c67d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jan 23 16:17:30 2020 +0100

    s3:auth_sam: make sure we never handle empty usernames
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 01b8374e7942141e7f6cbdec7623c981a008e4c1)

commit 33b37926b253e0408a03f5fa04a8231c472f08d5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jan 23 16:13:59 2020 +0100

    s3:auth_sam: unify the debug messages of all auth_sam*_auth() functions
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 72ef8d3a52c1ab07c079a4c014ba8ac7bff528f7)

commit d5fa47e02ffa8bff32456ac1c34b40f0169addbf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jan 23 15:48:39 2020 +0100

    s3:auth_sam: replace confusing FALL_THROUGH; with break;
    
    There's no real logic change here, but it makes it easier to
    understand.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 85b168c6dac88f5065c0ec6e925937439f2c12ed)

-----------------------------------------------------------------------

Summary of changes:
 selftest/knownfail.d/empty-domain-name |  7 +++
 source3/auth/auth_sam.c                | 83 ++++++++++++++++++++++++++++++----
 source3/selftest/tests.py              |  8 ++++
 source3/winbindd/winbindd_getgrgid.c   |  4 ++
 4 files changed, 93 insertions(+), 9 deletions(-)
 create mode 100644 selftest/knownfail.d/empty-domain-name


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail.d/empty-domain-name b/selftest/knownfail.d/empty-domain-name
new file mode 100644
index 00000000000..a1ffcaf7e3c
--- /dev/null
+++ b/selftest/knownfail.d/empty-domain-name
@@ -0,0 +1,7 @@
+^samba3.blackbox.smbclient_auth.empty_domain.domain_creds.smbclient.*as.user.*nt4_member
+^samba3.blackbox.smbclient_auth.empty_domain.domain_creds.smbclient.*as.user.*ad_member
+^samba3.blackbox.smbclient_auth.dot_domain.domain_creds.smbclient.*as.user.*nt4_member
+^samba3.blackbox.smbclient_auth.dot_domain.domain_creds.smbclient.*as.user.*ad_member
+^samba3.blackbox.smbclient_auth.upn.domain_creds.smbclient.*as.*user.*nt4_member
+^samba3.blackbox.smbclient_auth.upn.member_creds.smbclient.*as.*user.*nt4_member
+^samba3.blackbox.smbclient_auth.upn.member_creds.smbclient.*as.*user.*ad_member
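Review bot: These seven knownfail entries carry no comment saying why each test is expected to fail, and the summary of changes shows the file still present with all seven lines at the branch tip, after the auth_sam.c fix. If domain credentials failing with an empty or '.' domain is the intended outcome of mapping to the local SAM, state that in a `#` comment at the top of the file, or have the tests assert the failure directly, so the entries are not mistaken for open regressions. The unescaped `.` in the patterns also matches any character, which is harmless here but looser than the test names suggest.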
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 46958c54d3a..cdb8453b311 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -35,6 +35,17 @@ static NTSTATUS auth_sam_ignoredomain_auth(const struct auth_context *auth_conte
 	if (!user_info || !auth_context) {
 		return NT_STATUS_UNSUCCESSFUL;
 	}
+
+	if (user_info->mapped.account_name == NULL ||
+	    user_info->mapped.account_name[0] == '\0')
+	{
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
+		  user_info->mapped.domain_name,
+		  user_info->mapped.account_name);
+
 	return check_sam_security(&auth_context->challenge, mem_ctx,
 				  user_info, server_info);
 }
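Review bot: The new DBG_DEBUG in auth_sam_ignoredomain_auth() passes `user_info->mapped.domain_name` to `%s` with no NULL guard, whereas the other two functions touched by this patch first map a NULL domain to "" through effective_domain. Apply the same fallback here so the log call never receives a NULL pointer. The new early `return NT_STATUS_NOT_IMPLEMENTED;` for an empty account name would also benefit from a one-line comment saying why this status is returned rather than a logon failure.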
@@ -66,16 +77,51 @@ static NTSTATUS auth_samstrict_auth(const struct auth_context *auth_context,
 				    const struct auth_usersupplied_info *user_info,
 				    struct auth_serversupplied_info **server_info)
 {
+	const char *effective_domain = user_info->mapped.domain_name;
 	bool is_local_name, is_my_domain;
 
 	if (!user_info || !auth_context) {
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
-	DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
+	if (user_info->mapped.account_name == NULL ||
+	    user_info->mapped.account_name[0] == '\0')
+	{
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	if (lp_server_role() == ROLE_DOMAIN_MEMBER) {
+		const char *p = NULL;
+
+		p = strchr_m(user_info->mapped.account_name, '@');
+		if (p != NULL) {
+			/*
+			 * This needs to go to the DC,
+			 * even if @ is the last character
+			 */
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+	}
+
+	if (effective_domain == NULL) {
+		effective_domain = "";
+	}
+
+	DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
+		  effective_domain,
+		  user_info->mapped.account_name);
+
+
+	if (strequal(effective_domain, "") || strequal(effective_domain, ".")) {
+		/*
+		 * An empty domain name or '.' should be handled
+		 * as the local SAM name.
+		 */
+		effective_domain = lp_netbios_name();
+	}
 
-	is_local_name = is_myname(user_info->mapped.domain_name);
-	is_my_domain  = strequal(user_info->mapped.domain_name, lp_workgroup());
+	is_local_name = is_myname(effective_domain);
+	is_my_domain  = strequal(effective_domain, lp_workgroup());
 
 	/* check whether or not we service this domain/workgroup name */
 
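Review bot: The initializer `const char *effective_domain = user_info->mapped.domain_name;` at the top of auth_samstrict_auth() dereferences user_info before the `if (!user_info || !auth_context)` check that follows it, so the NULL check no longer protects anything. Declare `effective_domain = NULL` and assign it after the check. The '@' test for ROLE_DOMAIN_MEMBER returns before the DBG_DEBUG line, so UPN logons handed to the DC leave no trace at this debug level; consider moving the debug message above it. There is also a doubled blank line after the DBG_DEBUG call.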
@@ -84,21 +130,21 @@ static NTSTATUS auth_samstrict_auth(const struct auth_context *auth_context,
 		case ROLE_DOMAIN_MEMBER:
 			if ( !is_local_name ) {
 				DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n",
-					user_info->mapped.domain_name, (lp_server_role() == ROLE_DOMAIN_MEMBER
+					effective_domain, (lp_server_role() == ROLE_DOMAIN_MEMBER
 					? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
 				return NT_STATUS_NOT_IMPLEMENTED;
 			}
 
-			FALL_THROUGH;
+			break;
 		case ROLE_DOMAIN_PDC:
 		case ROLE_DOMAIN_BDC:
 			if ( !is_local_name && !is_my_domain ) {
 				DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n",
-					user_info->mapped.domain_name));
+					effective_domain));
 				return NT_STATUS_NOT_IMPLEMENTED;
 			}
 
-			FALL_THROUGH;
+			break;
 		default: /* name is ok */
 			break;
 	}
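Review bot: The two DEBUG(6, ...) calls in this switch keep the old macro style and the hard-coded "check_samstrict_security:" prefix, which no longer matches the function name auth_samstrict_auth() or the DBG_DEBUG calls added elsewhere in this patch. Since these lines are being edited anyway, convert them to a DBG_* macro and drop the stale prefix. With `break;` in place of FALL_THROUGH, the `default: /* name is ok */` comment now describes only roles not listed above; a short comment after the switch would make the "name accepted" path explicit.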
@@ -135,14 +181,25 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context,
 					const struct auth_usersupplied_info *user_info,
 					struct auth_serversupplied_info **server_info)
 {
+	const char *effective_domain = user_info->mapped.domain_name;
 	bool is_my_domain;
 
 	if (!user_info || !auth_context) {
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
+	if (user_info->mapped.account_name == NULL ||
+	    user_info->mapped.account_name[0] == '\0')
+	{
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	if (effective_domain == NULL) {
+		effective_domain = "";
+	}
+
 	DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
-		  user_info->mapped.domain_name,
+		  effective_domain,
 		  user_info->mapped.account_name);
 
 	/* check whether or not we service this domain/workgroup name */
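Review bot: As in auth_samstrict_auth(), the initializer `const char *effective_domain = user_info->mapped.domain_name;` in auth_sam_netlogon3_auth() reads through user_info before the `if (!user_info || !auth_context)` check. Initialize the variable to NULL and assign it once the pointers have been validated.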
@@ -156,10 +213,18 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context,
 		return NT_STATUS_INVALID_SERVER_STATE;
 	}
 
+	if (strequal(effective_domain, "") || strequal(effective_domain, ".")) {
+		/*
+		 * An empty domain name or '.' should be handled
+		 * as the local SAM name.
+		 */
+		effective_domain = lp_workgroup();
+	}
+
 	is_my_domain = strequal(user_info->mapped.domain_name, lp_workgroup());
 	if (!is_my_domain) {
 		DBG_INFO("%s is not our domain name (DC for %s)\n",
-			 user_info->mapped.domain_name, lp_workgroup());
+			 effective_domain, lp_workgroup());
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
 
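Review bot: The `is_my_domain = strequal(user_info->mapped.domain_name, lp_workgroup());` line still compares the raw domain name, so the effective_domain mapping added just above it only changes the DBG_INFO text and not the decision. An empty or '.' domain will still fail the comparison and return NT_STATUS_NOT_IMPLEMENTED (and a NULL domain is passed to strequal() unguarded). Compare `effective_domain` instead. The comment says "local SAM name" while the code assigns lp_workgroup(); reword it to say why the workgroup is the right name in this function.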
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 5b9a5e0ba08..8db24d6ca25 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -233,6 +233,14 @@ for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --o
         plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
         plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options])
 
+for env in ["nt4_member", "ad_member"]:
+    plantestsuite("samba3.blackbox.smbclient_auth.empty_domain.domain_creds", env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '/$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
+    plantestsuite("samba3.blackbox.smbclient_auth.empty_domain.member_creds", env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '/$USERNAME', '$PASSWORD', smbclient3, configuration, options])
+    plantestsuite("samba3.blackbox.smbclient_auth.dot_domain.domain_creds", env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', './$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
+    plantestsuite("samba3.blackbox.smbclient_auth.dot_domain.member_creds", env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', './$USERNAME', '$PASSWORD', smbclient3, configuration, options])
+    plantestsuite("samba3.blackbox.smbclient_auth.upn.domain_creds", env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME@$REALM', '$DC_PASSWORD', smbclient3, configuration, options])
+    plantestsuite("samba3.blackbox.smbclient_auth.upn.member_creds", env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$USERNAME@$SERVER', '$PASSWORD', smbclient3, configuration, options])
+
 env = "ad_dc"
 plantestsuite("samba3.blackbox.smbspool", env, [os.path.join(samba3srcdir, "script/tests/test_smbspool.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', env])
 
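Review bot: Every plantestsuite() call in the new `for env in ["nt4_member", "ad_member"]:` loop passes `options`, but the loop sits at top level, outside the preceding `for options in [...]` loop, so it silently picks up whatever value that loop left behind. Either pass an explicit option string (or an empty one) or nest these tests inside the options loop and include the options in the test name as the existing "plain" tests do. The knownfail patterns added in this patch assume a specific outcome per environment, so the effective client options should be pinned down.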
diff --git a/source3/winbindd/winbindd_getgrgid.c b/source3/winbindd/winbindd_getgrgid.c
index aa99e6e2561..24d70161770 100644
--- a/source3/winbindd/winbindd_getgrgid.c
+++ b/source3/winbindd/winbindd_getgrgid.c
@@ -79,6 +79,10 @@ static void winbindd_getgrgid_gid2sid_done(struct tevent_req *subreq)
 	if (tevent_req_nterror(req, status)) {
 		return;
 	}
+	if (is_null_sid(state->sid)) {
+		tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
+		return;
+	}
 
 	subreq = wb_getgrsid_send(state, state->ev, state->sid,
 				  lp_winbind_expand_groups());
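Review bot: The new `is_null_sid(state->sid)` branch in winbindd_getgrgid_gid2sid_done() has no comment explaining that a null SID is how a missing idmap entry is reported here, which is the whole reason for the check according to the commit message. Add a one-line comment, and consider a DBG_* message so a gid lookup that fails for lack of a mapping is visible in the winbindd log.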


-- 
Samba Shared Repository


